In this example the public IP (the IP of the outside of the PIX) is redirected to 10.10.10.10 if the packet is calling for port 25.
You create a port map with the PIX's outside interface IP and the inside host over that specific port. The only downside is that you can't port map that public IP to two different hosts with the same port (eg 80 - you can't have 2 web servers running port 80, or how would the PIX know who to send it to?). But it will work with hosts using different ports (eg an FTP server, mail server and DNS server).
The network mask relates to both global_ip and local_ip. For host addresses, always use 255.255.255.255 (which makes sense, as they are one-to-one mappings). For network addresses, use the appropriate class mask or subnet mask; for example, for Class A networks, use 255.0.0.0. An example subnet mask is 255.255.255.224.
The 0 0 stands for 1) the maximum number of connections permitted through the static at the same time and 2) the embryonic connection limit (an embryonic connection is one that has started but not yet completed; set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections).
1) Mappings must be one-to-one, so they must have the same mask. Eg. a host is 255.255.255.255, and a /24 network must map to a /24, otherwise you won't have a one-to-one mapping. If your local subnet is a /27, make your global a /27.
2) Static commands are secure without this option, but it does add a higher level of security (it can block SYN attacks, for example). If 0 0 isn't specified the PIX will add 0 0 by itself. 0 0 is the default (no limit on the number of connections). If you want to specify the number of connections, it really depends on your network (ie what the limit of your normal legitimate traffic is) and your servers' capacity (how much they can handle). You must be careful with this, as you can block the normal traffic that you want to accept. You must know your traffic patterns before enabling this option.
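The commands the answer above describes, put together as an added example (this is not a configuration from the original thread). It uses PIX 6.3 syntax; the outside address 192.0.2.1, the 192.0.2.32/27 global range, the inside hosts other than 10.10.10.10, the access-list name and the connection limits are all assumed placeholders chosen for the illustration.

```cisco
! Added example, not from the original post. PIX 6.3 syntax; all addresses are placeholders.
ip address outside 192.0.2.1 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0

! Port redirection: SMTP arriving at the PIX's own outside IP goes to the inside mail host.
! netmask 255.255.255.255 because a host mapping is one-to-one; the trailing 0 0 means no
! limit on simultaneous or embryonic (half-open) connections, which the PIX also adds if omitted.
static (inside,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255 0 0

! The same public IP can be reused for other ports, but not for port 25 again: a second
! "static ... tcp interface smtp <other host> smtp" would conflict with the line above.
! Here the web server static also sets limits (assumed values): at most 1000 concurrent
! connections and 100 embryonic ones. Measure legitimate peak traffic before choosing these;
! too low a value drops good connections.
static (inside,outside) tcp interface www 10.10.10.20 www netmask 255.255.255.255 1000 100
static (inside,outside) udp interface domain 10.10.10.30 domain netmask 255.255.255.255 0 0

! Network static: a /27 inside subnet must map to a /27 global range so the mapping stays
! one-to-one (the upstream router must route 192.0.2.32/27 to the PIX's outside interface).
static (inside,outside) 192.0.2.32 10.10.20.0 netmask 255.255.255.224 0 0

! A static alone does not admit inbound traffic; an access-list bound to the outside
! interface is still needed for each redirected port and for the statically mapped network.
access-list outside_in permit tcp any host 192.0.2.1 eq smtp
access-list outside_in permit tcp any host 192.0.2.1 eq www
access-list outside_in permit udp any host 192.0.2.1 eq domain
access-list outside_in permit ip any 192.0.2.32 255.255.255.224
access-group outside_in in interface outside
```

After applying it, `show xlate` shows the static translations and `show conn` lets you compare real connection counts against any limits before you tighten them.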